PCI Compliance - July 2010
What is PCI Compliance?
“The PCI DSS [Payment Card Industry Data Security Standard] is a multifaceted
security standard that includes requirements for security management, policies,
procedures, network architecture, software design and other critical protective
measures. This comprehensive standard is intended to help organizations proactively
protect customer account data.” https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
What does this mean for your business?
If anyone reports unlawful use of credit card information involving your business,
this may trigger an audit of your credit card processes. If it is determined that your
credit card security and procedures do not meet the requirements set by the
PCI Security Standards Council (PCI SSC), a fee of up to $50,000 may be charged for
the first offense.
What changes are being made?
If any credit card information is stored in The Compounder Rx and Lab version 4.7.5.0
or higher, all users must have User Security turned on with Complex Passwords enabled.
Use of complex passwords requires:
- At least seven characters (letters, numbers, special characters)
- At least one number
- At least one uppercase letter
- Complex passwords must be changed every 90 days (the software will automatically
display a prompt when a password for a specific user login must be changed)
Areas in The Compounder displaying credit card numbers will now appear with pound
signs and only the last four digits will be displayed, #### #### #### 1234. This
secure number format will also appear when printing credit card numbers. The only
area of the software where all 16 digits of the credit card can be viewed is when
editing a patient’s profile, clicking the Shipping tab, and selecting Edit Card
Information. As stated in the last communication to all users of PK with active
support, PCI DSS also requires that the CVV credit card security code not be stored
in the software (effective in version 4.7.0.0 and higher). An additional user security
feature has also been added that gives administrators the ability to prevent
specified user accounts from billing credit cards. This additional feature is found
as a permission option in version 4.7.6.0 and higher when editing a user security
profile, titled “Allow user to charge credit card.”
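The following Python is an added example, not code from The Compounder or from PCCA PK Software. It checks the complex-password rules listed above, flags a password that has reached the 90-day change interval, renders a card number in the masked display format, and builds a card record that omits the CVV. The function names, the 13 to 19 digit length check, the grouping of digits in fours, and the sample card number and dates are assumptions.

```python
import re
from datetime import date

# Rules as stated in the notice: seven or more characters, at least one number,
# at least one uppercase letter, and a change at least every 90 days.
MIN_LENGTH = 7
MAX_PASSWORD_AGE_DAYS = 90


def complex_password_problems(password: str) -> list:
    """Return the list of rules the password fails (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("at least seven characters")
    if not re.search(r"[0-9]", password):
        problems.append("at least one number")
    if not re.search(r"[A-Z]", password):
        problems.append("at least one uppercase letter")
    return problems


def is_complex_password(password: str) -> bool:
    return not complex_password_problems(password)


def password_change_due(last_changed_iso: str, today_iso: str) -> bool:
    """True once the password is 90 or more days old, i.e. when the software
    would prompt the user for a new one. Dates are ISO strings (YYYY-MM-DD)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days >= MAX_PASSWORD_AGE_DAYS


def mask_pan(pan: str) -> str:
    """Render a card number for on-screen display or printing: every digit except
    the last four replaced by '#', grouped in fours. The notice shows the 16-digit
    form '#### #### #### 1234'; the grouping for other lengths is an assumption."""
    digits = re.sub(r"[^0-9]", "", pan)
    if not 13 <= len(digits) <= 19:  # assumed sanity check on card number length
        raise ValueError("not a card number")
    masked = "#" * (len(digits) - 4) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def card_record_for_storage(pan: str, exp_month: int, exp_year: int, cvv: str) -> dict:
    """Build the record that may be saved on a patient's profile. The CVV is
    received for the immediate charge but is deliberately never placed in the
    stored record, matching the requirement that it not be stored."""
    # cvv is intentionally unused here: it must not be persisted.
    return {
        "pan": re.sub(r"[^0-9]", "", pan),
        "exp_month": exp_month,
        "exp_year": exp_year,
    }


if __name__ == "__main__":
    # Constructed sample values, not real account data.
    print(complex_password_problems("pharm2010"))   # missing an uppercase letter
    print(password_change_due("2010-04-01", "2010-07-01"))
    print(mask_pan("4000 1234 5678 9010"))
    print(card_record_for_storage("4000 1234 5678 9010", 7, 2012, "123"))
```

The password checker returns the list of failed rules rather than a single boolean so the prompt shown to the user can say exactly which requirement was not met; the masking function works on the stored full number only at display time, which is the pattern the notice describes for every screen except the Edit Card Information dialog.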
How can your business transition to the new changes?
Before or after updating to The Compounder version 4.7.5.0, have your store owner, IT person, or person in charge of security procedures go to Lists>User Security to create new user security profiles, if not already performed. Security profiles must be created in The Compounder before User Security is turned on!
- When creating new profiles, the data entered in the Program Password field needs to follow the requirements listed above, so new passwords do not have to be created a second time when User Security and Use Complex Passwords are enabled.
- Make sure at least one user profile in the software has all the permissions checked on the Permissions tab; this will be the Administrator account.
- After all user security profiles are created by your pharmacy, go to File>Options>Security and check Enable User Security System and Use Complex Passwords.
If your pharmacy is already using User Security and stores credit card information in The Compounder, go to File>Options>Security and enable Use Complex Passwords. The Compounder will automatically prompt those employees to enter a new password as they access the software if the complex password requirements are not met.
Where to go for further information?
For additional information on PCI Compliance and changes that may affect your pharmacy, visit
https://www.pcisecuritystandards.org. For assistance making sure The Compounder’s User Security and Complex Password features are enabled, contact PCCA PK Software Support at 800-331-2498.
As PCI Compliance continues to change PCCA PK Software will continue to send the necessary communications to keep you informed and up to date.